DFIR-02 : Journal Forensics

NTFS Journaling (Transaction Logging)
Windows NTFS uses a journaling technique that records a sequence of file changes in the $LogFile. Windows does a good job at maintaining data consistency after critical failures that cause the system to shut down unexpectedly. Specifically, NTFS logs file transactions when:
Creating a file
Deleting a file
Extending a file
Truncating a file
Setting file information
Renaming a file
Change the security applied to a file
The previously analyzed $MFT file keeps a $LogFile Transaction entry at offset 08 to 15 and this is how MFT correlates with other metadata attributes in the NTFS file system.
$MFT $LogFile Transaction Entry
From a forensics' perspective these records are valuable when it comes to creating a timeline of transactions.
NTFS change tracking journals :
$UsnJrnl:
Tracks file and directories changed on the system via the USN (Update Sequence Number) journal.
Available in the root directory under $Extend folder.
Contains two ADS (alternate data stream) : 
$Max : Where the meta data of change log is stored
$J : Where the actual change log records are stored.
$LogFile:
Track changes to MFT metadata.
Available at the root directory.
Tools
In order to parse these journals here are some great free tools :
​UsnJrnl2Csv​
​Triforce ANJP​
​KAPE​
Tutorial
Here is a great video by @13cubed on how to parse and use these journals : 
​

DFIR - Previous

DFIR-01 : $MFT

Next - DFIR

DFIR-03: RDP Authentication Artifacts

Last modified 1yr ago

Copy link

Outline

NTFS Journaling (Transaction Logging)

NTFS change tracking journals :